Tech Brief: Understanding and preventing data breaches in the financial services sector

In 2008, Verizon Business published a Data Breach Investigations Report, drawing information from over 500 forensic investigations involving 230 million records. These were handled by the Verizon Business Investigative Response team over a four-year period between 2004 and 2007. This was followed by a supplemental report which looked specifically at trends in data compromise in four industry groups: financial services, retail, food and beverage, and technology services.

The reports gave an objective, first-hand view of real-life data breaches and, most importantly, factual evidence and a wealth of data. From this, Verizon Business has been able to draw a better understanding of the sources and methods of data compromise, and hence develop an informed approach to help customers better protect themselves against potential compromise. In essence, by enhancing our understanding of past data breach issues, we are better prepared to help our customers prevent such breaches from happening again.

Identifying the hackers

Hackers used to break into web sites and networks for curiosity, fun, to alleviate boredom, or for fame. Hackers such as Fluffy Bunny, who famously defaced the internet watchdogs of SANS amongst others, would replace the home page of an Internet site with a message stating simply "you've been hacked" and a picture of a rabbit. However, these days unauthorised access to data, or data breaches, are typically perpetrated for profit. And the investigations show that payment card information is a key target - this was the focus in 84% of the investigations carried out in the period analysed in the report.

The investigations demonstrated that attacks come from one of three avenues:

  • External - people who are not part of, and have no business relationship with the breached organisation;
  • Internal - people who form part of the breached organisation's own enterprise, whether as an employee, on site contractor, or consultant; and
  • Partner - those who form part of the organisation's extended enterprise, including any third party sharing a business relationship with the organisation, including partners, vendors, suppliers, contractors and customers.

The data also showed that, overall, the majority of attacks come from outside the compromised organisation. This accounted for over 73% of cases investigated. Partners in the extended enterprise came next, with 39%, and internal a significantly lower 18%.

The number of breaches investigated originating from partner sources has actually dramatically increased over the course of the study - from 8% to 44%. This is no doubt driven by the general trend towards the outsourcing of business functionality. Information is, of course, the lifeblood of the extended enterprise, and flows far beyond the boundaries of any single organisation, with partners increasingly involved in its access and delivery. For this reason, some level of trust and privilege is usually implied between business partners, but correspondingly, the risk attached to partner breaches is also high.

The data also showed the impact of data breaches within specific industry sectors:

  • Financial Services - organisations are typically well protected in comparison to other industries, with only 14% of breaches. This is why convenience store robberies have always outnumbered bank robberies;
  • Retail - accounts for the most significant proportion of breaches at 35%;
  • Food and Beverage - in combination with Retail, this sector accounted for more than half of all data breach cases; and
  • Technology Services - this sector, which includes software firms, data warehousing companies, telecommunication providers, etc, accounted for only 10% of breaches. Given the many reports of data breaches involving educational institutions in recent years, it may be surprising to some that these account for a relatively small proportion of the data set.

The financial services sector

With regards to the financial services sector in particular, the caseload shows that attacks originate primarily from North America. The study also saw a trend towards more targeted, focused, multi-faceted attacks. Through collaboration with law enforcement agencies, we were able to confirm several instances of US-based attackers with ties to foreign organised crime groups, many of which reside in Eastern Europe.

The study also showed that the origins of data breaches are somewhat different between the different industry sectors. The highest overall origination of the data breaches investigated is still external sources, but the financial services industry shows a far lower incidence of external data breach than other industries. Conversely, this sector shows a far higher incidence of internal data breach than most other groups. The opportunity to access sensitive and valuable resources is presumably a temptation too hard for some to resist; this also could account for the sector having the highest incidence of partner breach sources.

Knowing the most likely avenue of attack and the source location of the attack are interesting in themselves, but businesses are, of course, more interested in knowing what losses are likely to be associated with an attack.  Verizon Business uses the average number of records in the data breaches to calculate a relative risk - a pseudo risk score.  This does not mean Verizon is asserting that the consequences of a breach are limited to the number of records compromised; we use this measure merely as an indicator of the overall financial impact.  The table overleaf compares the overall pseudo risk for the different industry sectors measured in the report.  The financial services sector is the only group where internal breaches rank as the highest risk source; for every other sector, partners bring the highest risk score.

In summary, the pseudo risk of the data breaches investigated from external sources is minimal in comparison to the risk of breach from the internal and partner groups.  This illustrates that financial services organisations are in general doing a good job at protecting their information assets from external breach; their attention is therefore better focused on protecting information assets from risks associated with internal and partner sources. 

Reducing risk

The research showed that the number of incidents where partners are involved in an attack, whether intentionally or unintentionally, is rising sharply. Partner incidents are generally harder to combat than insider attacks, as the partner environment is obviously outside the control of the core organisation. However, a large proportion of the incidents we see would likely have been avoided through the implementation of basic partner-facing security measures. Implementing partner assessments against a set of essential controls, using contracts that clearly delineate responsibilities and liabilities, improving provisioning, management and de-provisioning of partner connections and accounts, and adhering to the principle of least privilege are all viewed as beneficial in managing partner-related risk.

Internal risk can be reduced by ensuring that data is only available to those who have a clear need to know, and by paying special attention to end users (who are responsible for 53% of attacks). Generally end users need to perform only very simplistic attacks to gain access to sensitive data and often do no more than explore the privileges granted to them by system administrators. Proper provisioning and de-provisioning of accounts using role-based access control, together with logging of data access, can go a long way towards reducing this threat.

Conclusion

The moral of the story for the financial services sector is that, although internal personnel remain the highest risk to their business, partners should also be an increasing area of focus. But with knowledge comes power, and knowing the challenges they face has the potential to enable financial services organisations to significantly reduce their exposure to data breach risk.

This article was based on the Verizon Data Breach Investigations Report.

February 2012
